How to implement Microsoft Entra ID authentication and group checks in a Delphi XE3 VCL application?

Closed. This question needs to be more focused. It is not currently accepting answers.

Want to improve this question? Guide the asker to update the question so it focuses on a single, specific problem. Narrowing the question will help others answer the question concisely. You may edit the question if you feel you can improve it yourself. If edited, the question will be reviewed and might be reopened.

Closed 2 months ago.

Improve this question

I am tasked with updating a legacy Windows VCL application, built in Delphi XE3, to change its authentication method. Currently, it uses direct LDAP queries against an on-premise Active Directory to authenticate a user and check their membership in a specific security group.

The requirement is to replace this with authentication against Microsoft Entra ID (formerly Azure Active Directory).

Current Process:

The app takes a username and password.
It performs an LDAP bind to an on-premise AD server.
On success, it queries the user's memberOf attribute to verify membership in a required group.

The Technical Challenge: My research points towards using OAuth 2.0/OIDC for the authentication flow and the Microsoft Graph API to check for group membership. However, I am facing a knowledge gap on how to implement this within the constraints of a native Delphi XE3 application. The majority of Microsoft's documentation targets web apps or newer frameworks.

Any advice on this would be much appreciated.

edited Sep 17 at 7:10

mjn

36.7k30 gold badges184 silver badges392 bronze badges

asked Sep 15 at 12:00

PDM

6332 gold badges14 silver badges29 bronze badges

Is it assumed that the app will be run while the user is already logged in to Windows using their AD account, or that it will be run while the computer is logged in to Windows using some kind of "generic/shared" non-AD account?

grawity
– grawity

2025-09-15 14:28:36 +00:00
Commented Sep 15 at 14:28
The app will be run while the user is logged in to Windows using their Azure AD account.

PDM
– PDM

2025-09-15 15:39:33 +00:00
Commented Sep 15 at 15:39
1

Then does it really need its own login window? (Indeed did it need one with traditional AD?) What advantages does that bring, over just relying on OS having authenticated the user, and asking the OS about current group membership?

grawity
– grawity

2025-09-15 15:45:14 +00:00
Commented Sep 15 at 15:45
This is a broad question, maybe it should be split up into separate parts. For OAuth2 / OIDC you may find some first steps (built on top of Indy - github.com/IndySockets) here: blog.habarisoft.com/2024/11/…

mjn
– mjn

2025-09-16 06:15:49 +00:00
Commented Sep 16 at 6:15
1

Almost a duplicate of stackoverflow.com/questions/61171729/… - with accepted solution: "AcquireTokenSilentAsync: gives you directly a new access token for the same logged in user."

mjn
– mjn

2025-09-16 11:47:17 +00:00
Commented Sep 16 at 11:47

| Show 1 more comment

0

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.

Collectives™ on Stack Overflow

How to implement Microsoft Entra ID authentication and group checks in a Delphi XE3 VCL application? [closed]

0

Linked

Hot Network Questions